Intro to Criminal Infrastructure
Understanding the underground fraud economy - dark web markets, criminal tools, and how fraud operations are organized
Understanding the underground economy that powers modern fraud
The BidenCash Empire: A Real Criminal Business Story
It was March 2022 when the administrators behind BidenCash launched what would become one of the world's largest stolen credit card marketplaces. Operating from the shadows of the dark web, they built something that looked remarkably like Amazon - but for criminals.
The Business Model
BidenCash wasn't run by a lone hacker in a basement. It was a sophisticated criminal enterprise with customer accounts, transaction histories, search functions, and professional customer service. The administrators charged a fee for every transaction, just like any legitimate e-commerce platform.
Building Market Trust
In October 2022, BidenCash did something that would make any marketing executive proud - they published 3.3 million stolen credit cards completely free. Each "sample" included everything a criminal needed: credit card numbers, expiration dates, CVV security codes, account holder names, addresses, email addresses, and phone numbers. It was a massive marketing campaign designed to prove the quality of their stolen data and attract new customers.
The Growth
The strategy worked. Over three years, BidenCash grew to serve 117,000 customers worldwide. They trafficked over 15 million stolen payment card numbers and generated more than $17 million in revenue. They operated multiple domain names for redundancy, used cryptocurrency for payments, and built the kind of customer base that legitimate businesses dream of.
The Investigation
What the BidenCash administrators didn't know was that law enforcement agencies across multiple countries were watching. The U.S. Secret Service's Frankfurt Office, FBI Albuquerque Field Office, Dutch National High Tech Crime Unit, The Shadowserver Foundation, and Searchlight Cyber were building a case.
The Takedown
On June 4, 2025, the criminal empire came crashing down. U.S. law enforcement seized approximately 145 darknet domains, confiscated cryptocurrency funds, and redirected all BidenCash marketplace traffic to government-controlled servers. Three years of criminal infrastructure - gone in a coordinated international operation.
The Reality Check
BidenCash wasn't an anomaly. It was a glimpse into how modern fraud really works - as organized criminal businesses with professional infrastructure, customer service, marketing strategies, and revenue models that can operate for years while serving hundreds of thousands of customers worldwide.
This is the true story of criminal infrastructure in action, documented in the U.S. Department of Justice press release from June 4, 2025.
The Criminal Ecosystem: It's Not What You Think
Most people imagine fraud as individual criminals working alone from their basements. The BidenCash case proves this assumption is dangerously wrong. Modern fraud operates like a global business with supply chains, specialization, customer service, and even quality control.
Welcome to the criminal underground - a multi-billion dollar economy that funds everything from small-time scammers to international organized crime.
The Fraud Supply Chain
Modern fraud works like any business - with suppliers, manufacturers, distributors, and end users.
Data Suppliers (The Raw Materials)
These are the criminals who gather the personal information that makes fraud possible.
What they do: Steal personal information through data breaches, phishing emails, or malware installed on computers.
What they sell:
- Fullz - Complete identity packages including Social Security Number, date of birth, address, and mother's maiden name
- CVVs - Credit card numbers with the 3-digit security codes from the back
- Bank logs - Username and password combinations for online banking accounts
- Email credentials - Access to email accounts, which can be used to reset passwords for other accounts
Real example: A single data breach can yield millions of records that get sold for $1-$50 each depending on how recent and complete the information is.
Tool Makers (The Technology)
These criminals create the software and services that other criminals use to commit fraud.
What they do: Develop specialized software and online services for fraud operations.
What they sell:
- Carding tools - Software that automatically tests stolen credit cards to see which ones still work
- Proxy services - Technology to hide a criminal's real location when committing crimes online
- Fake ID generators - Programs that create realistic-looking fake driver's licenses and documents
- Automated bots - Software that can attempt fraud on thousands of websites simultaneously
Operators (The Workforce)
These are the people who actually execute fraud schemes using the stolen data and tools.
What they do: Use purchased stolen data and criminal tools to commit actual fraud.
Specializations:
- Account openers - Specialize in creating new fraudulent bank accounts, credit cards, or online accounts
- Cashers - Focus on converting stolen funds into physical cash that can't be traced
- Social engineers - Experts at manipulating people over the phone or email to reveal information or send money
- Technical specialists - Handle complex cyber attacks that require programming or hacking skills
Money Launderers (The Exit Strategy)
These criminals specialize in making stolen money disappear from the financial system.
What they do: Take "dirty" money from fraud and convert it into "clean" money that can't be traced back to crimes.
Methods:
- Cryptocurrency mixing - Use special services to obscure the trail of cryptocurrency transactions
- Money mules - Recruit innocent people (often through fake job offers) to receive and forward stolen money
- Shell companies - Create fake businesses to make illegal money look like legitimate business income
- High-value goods - Buy expensive items like jewelry or electronics that can be easily resold for cash
Dark Web Markets: The Amazon of Crime
The dark web (parts of the internet that require special software to access) hosts sophisticated marketplaces where criminals buy and sell fraud services.
Market Structure
These criminal marketplaces are surprisingly professional and sophisticated.
Professional marketplace features:
- Customer reviews and ratings (just like Amazon)
- Vendor verification systems to ensure sellers are legitimate
- Escrow services that hold money until buyers confirm they received what they ordered
- Customer support chat for when things go wrong
- Bulk purchase discounts for buying large quantities
Popular categories you'll find:
- Financial data - Stolen credit cards, bank account information, complete identity packages
- Documents - Fake IDs, passports, utility bills, and other official-looking documents
- Services - Money laundering, hacking services, and even more serious crimes
- Tools - Malware, hacking software, and fraud automation programs
Quality Control
Just like legitimate businesses, criminal markets have quality control systems:
Freshness ratings: Recently stolen data costs more because it's more likely to still work. Old stolen credit card numbers may have been canceled by banks.
Success rates: Vendors track which cards and accounts still work so buyers know what they're getting. Think of it like product reviews on Amazon.
Replacement guarantees: If a stolen credit card doesn't work, vendors replace it within 24 hours - better customer service than many legitimate businesses!
Fraud protection: Criminal markets actually protect buyers from vendor scams. The irony is that criminals have built systems to prevent other criminals from defrauding them.
Real pricing examples:
- Fresh US identity package (fullz): $15-$50 each
- Working credit card with security code: $5-$15
- Bank login credentials: $50-$300
- Complete fraud tutorial with step-by-step instructions: $100-$500
Criminal Specialization: The Division of Labor
Modern fraud operations divide work among specialists, just like any large business.
Data Brokers
Role: These criminals specialize in acquiring and selling stolen personal information.
Skills they need: Computer hacking, social engineering (manipulating people), or having insider access at companies with valuable data.
Income potential: Successful data brokers can earn $50,000-$500,000+ annually.
Account Manufacturers
Role: These specialists create fraudulent accounts using stolen identities.
Skills they need: Understanding how to combine stolen information into believable fake identities, document forgery, and knowledge of how financial systems verify customers.
Main challenge: Bypassing "know-your-customer" (KYC) verification - the process banks use to confirm you are who you say you are.
Cashout Specialists
Role: These criminals focus on converting fraudulent transactions into real money that can be spent.
Common methods:
- Making ATM withdrawals using cloned credit cards
- Purchasing high-value goods that can be easily resold (like electronics or gift cards)
- Using peer-to-peer payment apps like Venmo or Zelle
- Converting stolen money through cryptocurrency exchanges
Money Mules
Role: These people (often unknowingly) receive and forward stolen funds.
How they're recruited: Through fake job postings promising easy "work from home" opportunities moving money for "international businesses."
Typical profile: Often legitimate people facing financial hardship who don't realize they're participating in money laundering.
Legal danger: Money mules can face serious money laundering charges even if they didn't know they were helping criminals.
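On the defender's side, the receive-and-forward behavior described above leaves a recognizable shape in account data: a credit arrives and most of it leaves again shortly afterwards. The following is an added example, not part of the original article; the ledger rows, account names, and the thresholds (48-hour window, 90% forwarded, 1,000 minimum) are constructed assumptions, not industry values.

```python
from datetime import datetime, timedelta

# Constructed ledger rows: (account, timestamp, direction, amount, counterparty).
LEDGER = [
    ("ACC-1", "2025-03-03 09:10", "in", 4800.00, "EXT-77"),
    ("ACC-1", "2025-03-03 15:42", "out", 2400.00, "EXT-12"),
    ("ACC-1", "2025-03-04 08:05", "out", 2150.00, "EXT-13"),
    ("ACC-2", "2025-03-01 07:00", "in", 3200.00, "EMPLOYER"),
    ("ACC-2", "2025-03-02 10:00", "out", 950.00, "LANDLORD"),
    ("ACC-2", "2025-03-20 18:30", "out", 120.00, "GROCER"),
    ("ACC-3", "2025-03-05 12:00", "in", 5000.00, "EXT-90"),
    ("ACC-3", "2025-03-12 12:00", "out", 4900.00, "EXT-91"),
]


def find_pass_through(ledger, window_hours=48, min_ratio=0.9, min_amount=1000.0):
    """Flag inbound credits that are mostly forwarded out again within the window."""
    rows = sorted((acct, datetime.strptime(ts, "%Y-%m-%d %H:%M"), d, amt, cp)
                  for acct, ts, d, amt, cp in ledger)
    window = timedelta(hours=window_hours)
    hits = []
    for acct, t_in, direction, amt_in, _source in rows:
        if direction != "in" or amt_in < min_amount:
            continue
        # Outbound transfers from the same account shortly after the credit landed.
        forwarded = [(amt, cp) for a, t, d, amt, cp in rows
                     if a == acct and d == "out" and t_in < t <= t_in + window]
        total_out = sum(amt for amt, _ in forwarded)
        if total_out >= min_ratio * amt_in:
            hits.append({
                "account": acct,
                "received": amt_in,
                "forwarded": round(total_out, 2),
                "ratio": round(total_out / amt_in, 2),
                "recipients": sorted({cp for _, cp in forwarded}),
            })
    return hits


if __name__ == "__main__":
    for hit in find_pass_through(LEDGER):
        print(hit)
```

With the default window only ACC-1 is flagged; ACC-3 forwards its funds a week later and appears only when the window is widened, which is why window length is a tuning decision that trades recall against false positives on ordinary accounts such as ACC-2.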
Criminal Communication and Operational Security
Fraud operations use sophisticated methods to communicate and protect themselves from law enforcement.
Communication Channels
Criminal organizations use multiple layers of communication to avoid detection:
Encrypted messaging apps: Apps like Signal, Telegram, and Wickr offer end-to-end encryption, making it nearly impossible for law enforcement to intercept messages.
Dark web forums: Private forums serve as meeting places where criminals share techniques, sell services, and coordinate operations.
Burner phones: Frequently changed phone numbers and prepaid phones that can't be traced back to real identities.
Code words and slang: Criminals develop their own language to discuss illegal activities without explicitly mentioning crimes. "Cooking" might refer to money laundering, "shopping" might mean credit card fraud.
Operational Security (OPSEC) Practices
Fraud operations follow strict security protocols:
Virtual Private Networks (VPNs): Hide real IP addresses and locations when conducting online fraud.
The Onion Router (Tor): This network, usually accessed through the Tor Browser, routes internet traffic through multiple servers worldwide, making it extremely difficult to trace a user's location.
Multiple cryptocurrency wallets: Funds are frequently moved between wallets to obscure money trails.
Compartmentalization: Organizations operate in separate cells where members only know what they need for their specific role, limiting damage if someone gets caught.
Anti-forensics techniques: Software that automatically deletes files, encrypts hard drives, and wipes digital evidence if computers are seized.
Recruitment and Vetting
Criminal organizations have developed methods for finding and evaluating new members:
Online recruitment: Job posting sites, social media, and dating apps are used to target people in financial distress.
Referral systems: Trusted members vouch for new recruits, creating a network effect.
Test assignments: New recruits get small, low-risk tasks to prove reliability before being trusted with larger operations.
Background checks: Organizations perform their own "background checks" to ensure new members aren't law enforcement or likely to become informants.
Gradual escalation: New members start with minor roles and gradually gain access to more sensitive operations.
Money Movement Security
Several methods are used to move and hide stolen money:
Layered laundering: Money passes through multiple accounts, businesses, and cryptocurrency exchanges to create complex trails.
Cross-border movement: Funds move through different countries with varying banking regulations to exploit jurisdictional gaps.
Time delays: Waiting weeks or months between stealing money and cashing it out to avoid detection systems.
Small transaction amounts: Large sums broken into many small transactions that fall below reporting thresholds.
Legitimate business fronts: Real businesses (restaurants, car washes, retail stores) mix illegal money with legitimate revenue.
Technology Security
Criminal operations employ enterprise-level cybersecurity:
Secure infrastructure: Investment in secure servers, encrypted databases, and backup systems that rival legitimate businesses.
Regular security audits: Technical experts test systems for vulnerabilities and improve security.
Access controls: Different members have different access levels based on role and seniority.
Incident response plans: Procedures for what to do if discovered, including quickly shutting down operations and destroying evidence.
Counter-surveillance: Active monitoring for signs of law enforcement investigation, including unusual network traffic or suspicious inquiries.
Criminal Innovation
Criminals constantly innovate and adapt their techniques.
Fraud-as-a-Service
Modern criminals offer subscription-based fraud services, just like legitimate software companies:
- Monthly access to constantly updated stolen data feeds
- Technical support for criminals who need help with fraud operations
- Training programs that teach new criminals how to commit different types of fraud
- Custom fraud tools developed specifically for a client's needs
Artificial Intelligence Integration
Criminals are using AI to make their attacks more sophisticated:
Voice cloning: AI can now create convincing audio recordings of anyone's voice from just a few minutes of sample audio. Criminals use this for "emergency" scams where they pretend to be a family member in trouble.
Deepfake video: AI-generated fake videos can now bypass video verification systems that banks use to confirm identity.
Automated social engineering: AI chatbots can now conduct romance scams, maintaining relationships with dozens of victims simultaneously.
Pattern analysis: Criminals use AI to analyze data and identify the most vulnerable targets for their scams.
Cryptocurrency Innovation
Criminals are constantly finding new ways to use cryptocurrency for money laundering:
Privacy coins: Cryptocurrencies like Monero and Zcash are designed to be truly anonymous, making them popular for criminal use.
DeFi protocols: Decentralized finance platforms allow complex financial transactions without traditional banking oversight.
NFT laundering: Criminals buy and sell digital art (NFTs) as a way to clean stolen money.
Cross-chain bridges: Technology that moves cryptocurrency between different blockchain networks, making transactions harder to trace.
Why This Matters for Fraud Analysts
Understanding criminal infrastructure helps fraud analysts do their jobs more effectively.
Understanding Scale
Individual vs. organized crime: Learn to recognize when you're dealing with sophisticated criminal organizations versus lone actors. Organizations have more resources and are more persistent.
Resource assessment: Organized criminals have access to better tools, more data, and more sophisticated techniques than individual criminals.
Persistence factor: Criminal organizations don't give up after one blocked attempt - they'll keep trying with different approaches.
Attack Patterns
Supply chain analysis: Understanding how criminal infrastructure works helps predict where attacks might come from next.
Seasonal patterns: Criminal markets have busy seasons (like holiday shopping) and slow periods that affect fraud patterns.
Geographic indicators: Knowing that different regions specialize in different attack types helps identify the source of fraud attempts.
Investigation Techniques
Follow the money: Understanding how money laundering works helps investigators trace stolen funds.
Infrastructure mapping: Learning to identify shared criminal infrastructure can connect seemingly separate fraud cases.
Timing analysis: Understanding how criminal workflows operate helps predict what criminals might do next.
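Infrastructure mapping, as described above, can be sketched as grouping fraud cases that share an indicator. The following is an added example, not part of the original article; the case records, field names, and the `max_fanout` cutoff are constructed assumptions. It also handles the common failure mode where one very common value (such as a busy shared IP address) would wrongly link unrelated cases.

```python
from collections import defaultdict

# Constructed sample cases; every identifier is invented for illustration.
CASES = [
    {"case_id": "C-101", "ip": "198.51.100.7", "device": "dev-a1"},
    {"case_id": "C-102", "ip": "198.51.100.7", "device": "dev-b2"},
    {"case_id": "C-103", "ip": "203.0.113.40", "device": "dev-b2"},
    # Four unrelated cases behind one busy shared address (e.g. a carrier gateway).
    {"case_id": "C-104", "ip": "192.0.2.1", "device": "dev-c3"},
    {"case_id": "C-105", "ip": "192.0.2.1", "device": "dev-d4"},
    {"case_id": "C-106", "ip": "192.0.2.1", "device": "dev-e5"},
    {"case_id": "C-107", "ip": "192.0.2.1", "device": "dev-f6"},
]


def link_cases(cases, fields=("ip", "device"), max_fanout=3):
    """Cluster cases that share an indicator, skipping indicators that are too common.

    Returns a sorted list of {"cases": [...], "shared": [...]} for clusters of 2+ cases.
    """
    seen_in = defaultdict(set)                      # (field, value) -> case ids
    for case in cases:
        for field in fields:
            if case.get(field):
                seen_in[(field, case[field])].add(case["case_id"])

    parent = {case["case_id"]: case["case_id"] for case in cases}

    def find(cid):                                  # union-find root with path halving
        while parent[cid] != cid:
            parent[cid] = parent[parent[cid]]
            cid = parent[cid]
        return cid

    used = []
    for indicator, ids in seen_in.items():
        # One case is no link; a very common value links everything to everything.
        if not 2 <= len(ids) <= max_fanout:
            continue
        first, *rest = sorted(ids)
        for other in rest:
            parent[find(other)] = find(first)
        used.append((indicator, first))

    clusters = defaultdict(lambda: {"cases": [], "shared": []})
    for cid in parent:
        clusters[find(cid)]["cases"].append(cid)
    for indicator, member in used:
        clusters[find(member)]["shared"].append(indicator)

    out = [{"cases": sorted(c["cases"]), "shared": sorted(c["shared"])}
           for c in clusters.values() if len(c["cases"]) > 1]
    return sorted(out, key=lambda c: c["cases"])


if __name__ == "__main__":
    for cluster in link_cases(CASES):
        print(cluster)
```

C-101 and C-103 share nothing directly but end up in one cluster through C-102, which is the kind of connection between seemingly separate cases that the text refers to.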
The Economics of Criminal Operations
Understanding the business side of crime helps predict criminal behavior.
Cost Structure
Startup costs: It costs $1,000-$10,000 to begin basic fraud operations (buying initial data, tools, and infrastructure).
Operating expenses: Ongoing costs include purchasing fresh stolen data, maintaining tools and infrastructure, and paying money laundering fees.
Success rates: Most fraud attempts fail, so successful criminals focus on scaling the methods that work.
Profit Margins
The potential earnings vary widely based on sophistication and scale:
Small-scale operations: Individual criminals or small groups typically earn $10,000-$100,000 annually.
Medium operations: Well-organized regional groups can earn $100,000-$1 million annually.
Large organizations: Sophisticated international operations can generate $1 million-$100 million+ annually.
Risk vs. Reward
Low prosecution rates: Many cybercrimes go unpunished because of jurisdictional issues and the difficulty of international law enforcement cooperation.
High profit potential: Successful fraud operations can generate enormous returns on investment.
Scalability advantage: Digital crimes can be scaled to target thousands or millions of victims with minimal additional cost.
Criminal Adaptation
Criminals constantly evolve their techniques in response to new security measures.
Response to Security Measures
Criminals adapt quickly when new protections are implemented:
When chips were added to credit cards: Criminals shifted focus to "card-not-present" fraud (online transactions where you don't need the physical card).
When two-factor authentication was implemented: Criminals developed SIM swapping attacks (taking over phone numbers to receive authentication codes).
When machine learning fraud detection improved: Criminals began using synthetic identities (completely fake people) that are harder for algorithms to detect.
Technological Evolution
Criminal techniques have evolved dramatically over time:
From simple phishing emails: To highly sophisticated spear phishing campaigns that research individual targets.
From random mass attacks: To targeted attacks based on detailed data analysis of potential victims.
From manual operations: To fully automated, AI-powered "fraud factories" that can operate 24/7.
The Human Element
Despite all the technology, criminal operations still depend heavily on people.
Recruitment
Criminal organizations actively recruit talent:
- Technical experts poached from legitimate technology companies
- Desperate individuals facing financial hardship who are willing to take risks
- Young people recruited through gaming platforms and social media
- Company insiders at banks, retailers, and other businesses with access to valuable data
Training Programs
Successful criminal organizations invest in education:
- Step-by-step fraud tutorials that teach specific techniques
- Technical training on how to use specialized criminal tools and software
- Customer service training for social engineering (teaching criminals how to manipulate victims)
- Legal advice on how to avoid prosecution and minimize sentences if caught
Retention Strategies
Criminal organizations work to keep their best people:
- Profit sharing that ensures everyone benefits from successful operations
- Career advancement opportunities within the criminal organization
- Protection services to help members avoid law enforcement
- Social bonds and loyalty that make it hard for members to leave
Key Takeaways for Fraud Professionals
Think like a business analyst: Criminal operations face the same business pressures as legitimate companies - they need to manage costs, retain talent, and adapt to competition.
Follow the specialization: Understanding who does what in criminal organizations helps identify and disrupt criminal networks.
Watch for innovation: Criminals constantly evolve their techniques, so fraud analysts must stay current with new criminal methods.
Consider the economics: Understanding profit margins and cost structures helps predict how criminals will behave.
Remember the human element: Even the most sophisticated criminal operations rely on human psychology, relationships, and decision-making.
The criminal underground is not a chaotic mess of individual bad actors. It's a sophisticated, global economy with its own markets, supply chains, and business models. Understanding this infrastructure is essential for effective fraud detection and investigation.
The more you understand how criminals operate, the better you can predict, detect, and investigate their attacks.